5 Best Practices for Manufacturing Cybersecurity
A Department of Defense (DoD) push to protect data by vetting suppliers more thoroughly illuminates how any CNC machining business can improve.
Is your customers’ data secure? Most leaders of CNC machining businesses likely would say “yes,” but answering in the affirmative is no longer enough for those seeking sensitive defense-industry work. The struggle to meet new government standards shows the extent to which basic cybersecurity best practices can differentiate not only these manufacturers, but virtually any shop trusted with sensitive data.
Our expansive July 2019 issue cover story, “How to Become a Defense Supplier,” touched on more than cybersecurity.
This was the subject of a recent conversation with David Watts, solution consultant at Avatara, an information technology firm that is focusing on helping small- and mid-sized manufacturers meet new Department of Defense (DoD) requirements. More specifically, Avatara is helping DoD suppliers prepare for Cybersecurity Maturity Model Certification (CMMC). While current regulations dictate that DoD suppliers constantly track and update their own security policies and report on progress, the new CMMC requires answering to third-party auditors, and doing so prior to the awarding of a contract rather than after the fact. “A lot of manufacturers are going to be caught flat-footed,” Mr. Watts says.
National security implications aside, Mr. Watts says a crisis for some can present opportunity for others. Based on Avatara’s experience with customers so far, the most significant areas of weakness involve practices and procedures that are rudimentary by modern cybersecurity standards, even if they take time and effort to implement. As he puts it, “If you don’t do this stuff, you’re nowhere near ready for CMMC. But really, a lot of it could be viewed as basic best practices for anyone.” Examples include:
Training Regularly
Although the specifics had not been published at the time of this writing, the CMMS builds directly on the current National Institute for Technology (NIST) 800-171 standard, which already specifies training for key employees. “You’ll have to show the auditors, ‘Here are the training sessions, here are which ones we passed and failed, and here’s what we’re doing about it if we failed,’” Watts says.
Even without auditing, staying up to date is essential because threats are ever-evolving, he says. For example, security technology might not be enough for shops that do not appreciate the power of social engineering tactics. Phishing, or the sending of fake emails to obtain passwords or other information, is a classic example. “Just having a firewall in place is not enough to prevent that,” he says, adding that formal training should include practicing fake attacks. “It’ll tell you ‘Bob clicked this link seven times,’ and then you can tailor your training to Bob.’”
Requiring Strong Passwords
Password policies — that is, the rules governing what makes a good password — could explain part of the reason for the prevalence of tactics like phishing. Mr. Watts says that following best practices for passwords is a requirement for CMMC Level 3, the minimum level of certification for most CNC machining businesses seeking DoD contracts. Examples include requirements for certain numbers of characters and symbols; requirements that passwords change regularly; limits on using identical passwords; and limits on log-in attempts.
Requiring Multi-Factor Authentication
Multi-factor authentication refers to the use of multiple means — that is, more than just a password — to verify that users are who they say they are. For instance, a bank might ask for both a log-in ID and the answers to personal security questions. This is good practice in general, but necessary for CMMC, Mr. Watts says.
Monitoring for Threats
As is the case with current NIST standards, CMMC requires monitoring incoming and outgoing data to detect attacks and potential indicators of attacks, Mr. Watts says. Examples include malicious code, communications with external systems, unusual traffic patterns and so forth. Likewise, records of data crossing a network are necessary to identify attackers, weak points and more in the event of a security breach.
Considering Security Beyond the Virtual
One of the simplest ways to steal sensitive data is to simply plug a USB stick into a computer or server. For its part, Avatara maintains all customers’ data in a private data center environment. Servers lack a port for any removable media, and are locked behind biometric access points and defended by armed guards. Manufacturers that opt to maintain their own information technology infrastructure may not go to these lengths, but precautions might be warranted even if the risk is more to a shop’s own financials rather than national security.
Related Content
Can ChatGPT Create Usable G-Code Programs?
Since its debut in late 2022, ChatGPT has been used in many situations, from writing stories to writing code, including G-code. But is it useful to shops? We asked a CAM expert for his thoughts.
Read More5 Tips for Running a Profitable Aerospace Shop
Aerospace machining is a demanding and competitive sector of manufacturing, but this shop demonstrates five ways to find aerospace success.
Read MoreAutomating Part Programming Cuts the Time to Engaging Work
CAM Assist cuts repetition from part programming — early users say it could be a useful tool for training new programmers.
Read More6 Machine Shop Essentials to Stay Competitive
If you want to streamline production and be competitive in the industry, you will need far more than a standard three-axis CNC mill or two-axis CNC lathe and a few measuring tools.
Read MoreRead Next
When It Comes to Cybersecurity, Be Scared, but Be Prepared
Warnings about threats to internet-enabled networks in manufacturing plants should be taken seriously without giving in to alarmist overreactions. The risks are real, but manageable, while the benefits are too compelling to forego.
Read MoreCybersecurity for Job Shops
Small and medium-size machining job shops can take steps to protect computerized or networked assets such as CNC machines from cyber attacks.
Read More